Ethics of Virus Research Self-Replicating Code Essay

Self-replicating code, such as viruses and worms, are a part of the Internet landscape. The nature of their design means that they can quickly spread around the globe, causing outages and threatening Internet stability. Ford, Bush and Boulatov theorized that outbreaks of viruses are actually beneficial, comparing bouts of self-replicating code to the biological analogy known as the Intermediate Disturbance Hypothesis, and its effects of driving diversity. This paper will overview Ford, Bush and Boulatov's theory regarding these benefits and then discuss possible alternative technical measures that could achieve similar societal benefits in less ethically-suspect ways. The legal implications will be explored, including in what ways the law would have to be changed to make a deliberate release of viruses and worms lawful. Lastly, the safeguards that would have to be built into such changes will be overviewed.

Ford, Bush and Boulatov's Benefits of Viruses to the Internet:

Buy full paperfor $19.77 Self-replicating code, such as viruses and worms, are a common feature in today's Internet world. For this reason, Internet users must rely on an anti-virus software to protect them from an attack. Yet, this protection is limited primarily to being reactive, which means viruses and worms that evade detection can quickly become pandemic. Ford, Bush and Boulatov cite the example of the SQL Slammer worm, that occurred on January 25th, 2003. With a minimum population doubling time of less than 10 seconds, SQL Slammer disrupted numerous networks and affected global Internet routing protocols. "Within ten minutes, it had taken over 90% of all unpatched computers running SQL Server or MSDE on the Internet" (Panko 207). Although work continues on more proactive detection of malicious mobile code (MMC), there is still the possibility that a worm outbreak could be catastrophic.

Essay on Ethics of Virus Research Self-Replicating Code, Such Assignment

Advancements in connectivity and increases in support of standards has led to an environment perfect for the release of MMC. Threats of worms have led to increased management and maintenance costs (Xia et al.). Today's worms, however, are only a small taste of what will be developed in the future. This likely advancement in MMC effectiveness is compounded by the Internet's fragility. Although the Internet is distributed by nature, "the presence of many infected machines is a powerful force multiplier" (Ford, Bush & Boulatov 4). In addition, certain critical pieces of the Internet, such as the root Domain Name Servers (DNS) are a particularly crucial attack point that MMC may target. A worm infecting a small number of machines does not pose much of a threat to the Internet; but if a worm is widespread enough to infect tens of thousands or more, it's much more easy for them to wreak havoc on the Internet's critical systems.

Ford, Bush and Boulatov noted that natural systems are more resilient than their virtual counterparts, due to the diversity of biological systems. Part of this robustness is due to continual random disturbances that natural systems must deal with. These disturbances create 'gaps' that allow other pioneer species to invade, increasing diversity, stability, and resilience. Ford, Bush and Boulatov use forest fires and controlled burns of the forest as an example, when the fire is at an appropriate level, it leaves room for diverse species to flourish, while still allowing the original forest to not only survive, but thrive. However, if the fire burns out of control, it can destroy the entire forest. Interestingly, "large malcode outbreaks (or more importantly, perhaps, outbreaks which were widely reported in the popular press) generate significant spurts of virus scanning and improve security globally" (5).

Continuing with the forest fire analogy, without the threat of MMC to motivate computer users to pay attention to their security, security standards would falter. Without the perceived threat, effort in protective measures will decline. This would then be like forest dry from a long drought. One single spark, a well-written piece of malware, could then cause catastrophic damage to the entire virtual forest. For this reason, a deliberately released worm, within the restrictions of specific parameters, could act as a controlled forest fire burn -- forcing administrators to update their security. The damage from this worm would be significantly less than if a truly malicious worm were released. This is the basis of Ford, Bush and Boulatov's recommendation to intentionally release a controlled threat that would not patch susceptible systems, but would possibly render them unexploitable for a period of time. In this way, administrators would then be forced to take action that would protect them from more virulent and damaging pieces of MMC later.

This proposal raises a variety of ethical concerns. Revisiting the SQL Slammer outbreak, it becomes clear that what Ford, Bush and Boulatov recommend could have the effect they surmise. "Slammer exploited a vulnerability that was known six months before Slammer hit; a patch from Microsoft was available all that time. Microsoft labeled this patch as 'critical.' Yet the rapid spread of Slammer indicated that large numbers of systems administrators failed to apply the patch" (Panko 207-8). An earlier release of a controlled worm could have forced these administrators to update their systems, saving them the massive damage SQL Slammer caused later. However, this goes against the basic tenet of nonmaleficence in computer ethics (Frohmann). Although this harm may result in 'greater good', it is still ethically questionable, given that harm would still be done. Add to this the concern regarding the power security software companies would now have on users, were this recommendation to come to fruition.

If software companies were allowed to produce and release MMC, in a 'controlled burn' type effort, the conflict of interest becomes apparent. Companies would emerge who's sole source of revenue would lie in developing this code and even developing patches for the code. Internet users would be at their mercy. It would be much like a Mafia enforcer coming to a business and extorting "protection" money from the owner, when the primary threat to the business is the Mafia itself. Certainly some other gang may come into town and threaten the business and this protection would prevent that, but is it right to force the business owner to pay for protection, with now an assured threat?

Less Ethically-Suspect Alternatives:

Education is perhaps the most ethically sound alternative, to achieve the same societal benefits of increased security. As Ledin noted, most computer security courses are simply guided tours of concepts and terminology. They have very little technical content. Even those taken as elective courses by computer science majors find the course focused on cryptography. The topics of viruses and worms get the least amount of coverage. "Anecdotal and historical information about them may be presented, but source code discussions are rare and programming a virus or worm and their antidotes is seldom required" (144). Expansion of knowledge of the potential damage MMC can cause, and the best methods of thwarting such attacks, to the general public would increase awareness and increase the likelihood that another SQL Slammer outbreak does not occur. Preparing computer professionals with the skills necessary to program antidotes would also help ensure that users are protected.

Another alternative is the development of operating software that makes patch updates mandatory, for those with an Internet connection. Currently, Microsoft's Automatic Update allows users to either be notified of updates or installing them immediately. Mac OS X automatically checks for updates, but allows users the option of opting out of specific updates, if they'd like. Linux is even more complex with its varied methods of patching. However, an operating system that did not give the user the option of not installing a security patch would also remedy with situation.

Legal Implications of Controlled Worm Releases:

One only has to recall the worldwide cost of the 'I Love You' bug, released in the spring of 2000, to understand why the release of worms is legally prohibited. In the first five days of its release, the Love Bug cost the world approximately $6.7 billion. Onel de Guzman, of the Philippines, reportedly 'accidentally' released the virus. However, the Philippines did not have a law on the books to prosecute de Guzman. de Guzman went free, not for lack of evidence against him, but for lack of law. The Philippines quickly reacted to remedy the situation and the eCommerce Act of 2000 was developed. Europe too banded together for a Convention on Cybercrime, to write their own international version of Philippines' law (Malibiran). The National Information Infrastructure Protection Act of 1996 was passed in America to address cybercrimes as well ("National Information"), followed by several other pieces of legislature including the Computer Fraud and Abuse Act (Montana) and the more broadly defined Fraud Act of 2006 (Johnson & Rogers).

The Computer Fraud and Abuse Act specifically makes it "illegal to distribute computer code or place it in the stream of commerce with intent to cause damage or economic loss" (Montana 58). Even if Bush, Ford and Boulatov's controlled-burn type code was to facilitate future resilience and stability, it would be irrelevant. Whether one knowingly…
[END OF PREVIEW] . . . READ MORE